[Snort-devel] CPU killing in build 24

Daniel Roelker droelker at ...402...
Thu Nov 7 08:51:02 EST 2002


Try to isolate the problem by taking out preprocessors and changing config
options.

Some suggestions:

* config detection: search-method ac no_stream_inserts
* only reassemble client with stream4.
* take out each preprocessor in individual test runs.

On 11/7/02 11:12 AM, "Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> wrote:

> 
> On some of our systems we use snort2.... The snort2 build we're using is
> 10.  We had rebuilt from build 1 to solve the problem that is now
> occuring again in build 24.
> 
> I believe in the past the problem was related to something in portscan2,
> as well as some changes that were overwritten when the snort2 code was
> merged.  I can't seem to find those problems being overwritten again,
> and we're not even using portscan2 or conversation on the problem
> snort2s.  Yesterday we compiled and installed snort2 build 24 on our
> test systems... And discovered that after a random period of time
> (usually greater than a few minutes), the snort2-24 was sucking down
> every ounce of CPU it could get, while not processing any incoming data.
> We have some fairly regular attempts that hit our test machines, so when
> the logging stopped, I checked the graphs for our CPU usage and found
> that they correlated to the same time.
> 
> We're using:
> search-method mwm
> Stream4 (reassemble both, ports all)
> http_decode
> HttpFlow
> rpc_decode
> telnet_decode
> bo
> 
> And the latest set of rules from cvs.
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: See the NEW Palm
> Tungsten T handheld. Power & Color in a compact size!
> http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 

-- 
Daniel Roelker
Software Engineer
droelker at ...402...

www.sourcefire.com
www.snort.org







More information about the Snort-devel mailing list